I recently came across a job posting for a cyber threat intelligence (CTI) analyst position. Given recent issues in the CTI marketplace with many individuals finding themselves in need of new roles, this at first glance appeared an excellent opportunity to pass on to those looking for work. However, with further scrutiny, the role appeared to be quite curious – a reasonably well compensated position for a critical infrastructure entity with fewer than 500 employees servicing a relatively small customer base. When viewed at with the outlandish posted qualifications (provided below) also in mind, the role appears as though it was posted based on outside consulting or similar guidance with little view to the actual needs or requirements of the organization in question.
Certainly, all organizations have distinct threat profiles and intelligence needs (although I would argue these overlap more than many would like to publicly acknowledge), but I would also argue that CTI has placed itself in a negative position through scope and mission creep as in the above example. The organization in question is hardly alone and merely provides a specific use case where a relatively small entity (even if in the critical infrastructure environment) finds themselves suddenly in need of CTI (often after some consultancy or other outside entity tells them such, or worse yet, an internal incident), resulting in initial overinvestment that will be followed in a year or two with functional collapse. The ending to this story is that the value perception of CTI is significantly damaged in the eyes of stakeholders as the cost of building a program is not met with noticeable improvement in organizational security posture, and CTI as a discipline comes under greater scrutiny for lack of (perceived) value in its presence or application.
Central to the above issue is a profound misunderstanding as to the application and use of CTI, and how to best apply this within organizations with limited resources or relatively small size. While it would be absurd to place an arbitrary headcount or network size as a necessary threshold for building and maintaining an organic CTI function, we can reasonably assume that not all organizations require such an internal capability. However, ALL organizations can benefit from a CTI perspective or mindset in operations and defense, informing risk-based decisions and improving resource allocation with an understanding of the threat environment.
The primary issue in many cases is organizations conflate the need for a CTI-based understanding with the need for a dedicated CTI function. Quite simply, this is not the case for many (and maybe even most) organizations. Rather than embodying CTI-driven approaches as a mindset supplementing or improving existing functions nearly all organizations will possess, from internal incident handling to executive decision making, many entities instead think CTI must be embodied in a specific person. This may be appropriate for large, complex, or well-resourced entities, but is inappropriate and (quite frankly) wasteful for others. The result is initial investment in people and tools are ultimately met with disappointment and divestment when the expected returns fail to materialize.
CTI finds itself in a self-inflicted crisis today as a result, with misguided investments in CTI-specific functions, actions, and expertise increasingly questioned for what value they generate for the organization. While many within CTI will crow that such actions are short-sighted and dangerous, the more appropriate response is to determine what went wrong and how a variety of organizations at multiple levels of maturity and resourcing could benefit from CTI. The answer to this discussion is CTI must find a way to teach practitioners of multiple backgrounds how to apply a CTI mindset in multiple fields, rather than simply viewing CTI as a dedicated discipline only properly executed and propagated by generating more dedicated CTI analysts.
If we fundamentally view CTI as a decision support function, improving the ability of individuals to make choices in information-limited and resource-constrained circumstances, having a dedicated analyst is a luxury but having CTI-informed processes is a necessity. Thus as an industry, CTI should aim not to churn out analysts well-versed in analysis of competing hypotheses (ACH) or supremely familiar with diamond model-oriented threat actor clustering. Rather, CTI should aim to extend the most appropriate and relevant aspects of the analyst and intelligence mindset to multiple functions in the risk and defense decision-making spaces.
This expanded view of CTI relevance will allow for the best parts of CTI (evidence-based investigation and analysis, consistent methodologies of information enrichment, and avoidance of cognitive bias) to extend to multiple roles economically. In doing so the defensive posture of many (if not most) organizations can be improved irrespective of their ability to buy a certain feed or employ an analyst. Such an approach requires humility on the part of CTI leaders and educators in accepting that we are not particularly unique or special, but rather one facet as part of a wider information security landscape. In embracing this approach, CTI can in fact prove itself to be an effective “force multiplier” for security decisions and applications even if the population of dedicated CTI analysts remains relatively static or growing only slowly.
Ultimately organizations such as that with the curious job posting have identified a legitimate need: threat-informed defense and decision making. Yet in seeking to fill that need, they have conflated roles and effects. Where a more appropriate response might be cost-effective CTI training and support through a reasonably-priced entity or no-cost industry association or government agency, instead the “we need CTI” demand is met with a created role which likely will cease to exist in two years. By identifying the distinction between roles and actions or results, organizations can avoid wasteful investments while also improving outcomes, and CTI can prove itself to be more effective and relevant to the needs of most entities.
0 Comments